PROBLEM TO BE SOLVED: To provide a network attack protection system which is effective against an attacker who scans the network comprehensively, which does not require the server program to be changed, and which can respond quickly to the contents of the attack.

SOLUTION: Communication data transmitted from an external network 2 are sampled by input data monitors 11a and 11b. When an inference engine 12 detects a match between the pattern of the communication data sampled by these input data monitors 11a and 11b and an attack pattern stored in the inference engine 12, the rate a at which a traffic shaper 13 shapes the traffic is controlled.
(54) [Title of Invention] Network Attack Control System Using Traffic Shaping
(57) Abstract 

[Problem to be Resolved] To provide a network attack control system using traffic shaping which is effective against scanning and other types of attack carried out over a network, which eliminates the need to change the server program and which is capable of responding instantly to the contents of the attack.

[Means of Resolving the Problem] Communications data transmitted from an external network 2 are gathered using input data monitor 11a and input data monitor 11b. When inference engine 12 detects a match between the communications data patterns gathered using these input data monitors 11a and 11b and the attack patterns stored in inference engine 12, it controls the rate a at which traffic shaper 13 shapes the traffic.

[captions for diagram on first page] 
Specification

[Scope of Patent Claim] 

[Claim 1] A network attack control system using traffic shaping which is made up of: 

(1) an input monitor which gathers communications data from an external network; 

(2) an inference engine in which the attack patterns for the computer have been stored in advance, which detects the patterns of the aforementioned communications data gathered using the aforementioned input data monitor, and which determines whether or not the aforementioned communications data constitute an attack on the computer by checking whether the aforementioned communications data patterns which have been detected match the stored attack patterns; and

(3) a traffic shaper which controls the rate at which the traffic is shaped when the aforementioned inference engine detects the patterns of an attack on the computer in the aforementioned communications data patterns;

[Claim 2] The composition of Claim 1 wherein the aforementioned traffic shaper makes the rate a which shapes the traffic a fixed value (0 < a < 1) when a match between the aforementioned communications data patterns and the aforementioned attack patterns is detected using the aforementioned inference engine;

[Claim 3] The composition of Claim 1 wherein the aforementioned traffic shaper multiplies by a the data from the client to the server when a match between the aforementioned communications data patterns and the aforementioned attack patterns is detected using the aforementioned inference engine;

[Claim 4] The composition of Claim 1 wherein the aforementioned traffic shaper multiplies by a the amount of traffic from the server to the client when a match between the aforementioned communications data patterns and the aforementioned attack patterns is detected using the aforementioned inference engine;

[Claim 5] The composition of Claim 1 wherein the aforementioned traffic shaper returns the rate a which shapes the traffic to the original fixed value (0 < a < 1) when the aforementioned communications data which are the source of the attack detected by the aforementioned inference engine have ended.

[Detailed Description of the Invention] 
[0001] 

[Field of the Invention] The present invention relates to a network attack control system which shapes the traffic so as to prolong the time until the attacker moves on to the next host computer (hereinafter referred to as "host"), thereby lengthening the time spent attacking each host, so that the attack on the host can be analyzed and the information required to identify the attacker can be obtained.



[0002] 

[Description of the Prior Art] With the spread of the Internet and other public networks, theft of information, unauthorized use of information and other crimes committed over networks are growing by leaps and bounds. The Internet is becoming flooded with programs used to gain unauthorized access, and tools which carry out blanket attacks [on networks] to discover holes in their security are proliferating. There is currently a strong need for countermeasures against these attack tools, and a variety of such countermeasures have been tried.

[0003] [Japanese] Laid-Open Patent No. 02-302139 discloses a network security [system] which checks the destination address and the source address of the communications data at the connection points between multiple networks, and which is provided with a means of preventing unauthorized access by cutting off access according to the recorded access-authority information.

[0004] In addition, network systems configured on LANs, public networks and other transmission media contain security systems which identify whether terminals that have obtained access without proper authorization are connected to the LAN by pinpointing the port of the relay device to which such a terminal is connected, based on the alarm information of the monitoring device and the access history information held by each of the relay devices.

[0005] 

[Problems Which the Present Invention Attempts to Resolve] However, none of the systems mentioned in the publications above are useful as direct countermeasures against an attack on a host. The prior-art network attack control systems presented the following problems.

[0006] When "port scanning" and the like were used comprehensively against Internet servers, the accepted approach was to "cut off" access from such sources using packet filtering and the like. In this case, however, cutting off access often simply gave the attacker the opportunity to switch immediately to the next attack. As a result, the attacker could discover the service ports and the like within a short period of time and move rapidly on to the next attack.

[0007] Although prior-art methods existed for cutting off attacks, they were problematic in that the connection with the attack source was cut off immediately, which let the attacker work out which [target] to attack next.

[0008] It is an object of the present invention to resolve the problems in the prior-art systems mentioned above by providing a network attack control system which is capable of prolonging the attack time per server, which is effective against scanning and other comprehensive attack methods, which eliminates the need to change the server program, which eliminates the need to introduce a detection module into the server, and which uses traffic shaping to make it possible to deal immediately with the contents of the attack.



[0009] 

[Means Used to Resolve these Problems] In order to attain the aforementioned objectives, the network attack control system in the present invention is provided with: (1) an input monitor which gathers the communications data from an external network; (2) an inference engine in which the attack patterns for the computer have been stored in advance, which detects the patterns of the aforementioned communications data gathered using the aforementioned input data monitor, and which determines whether or not the aforementioned communications data constitute an attack on the computer by checking whether the aforementioned communications data patterns match the stored attack patterns; and (3) a traffic shaper which controls the rate at which the traffic is shaped when the aforementioned inference engine detects the patterns of an attack on the computer in the aforementioned communications data patterns.

[0010] In the present invention, when the communications data transmitted from an external network have been gathered by an input data monitor, the patterns of the gathered communications data are detected by the inference engine. The detected communications data patterns are compared with the patterns of attack on the computer which have been stored in the inference engine beforehand. When the detection results show that the attack patterns and the communications data patterns match, the rate a which shapes the traffic is controlled accordingly.

[0011] As a result, when the present invention is used, the attack time per server can be prolonged, the invention is effective against scanning and other types of comprehensive attack [on computer systems], the need to change the server program is eliminated, the need to introduce a detection module into the server is eliminated, and the invention can deal with the contents of the attack itself.

[0012] 

[Embodiments of the Present Invention] Next, we shall use diagrams to explain practical 
embodiments of the network attack control system which uses the traffic shaper in the present 
invention. Figure 1 is a block diagram of the configuration of the first practical embodiment of 
the present invention. In Figure 1, the practical embodiment is provided with a control device 1. 

No special arrangements are required for client X, client Y or for servers A, B, ... N as computers.

[0013] The control device 1 is made up of (1) an inference engine 12 which detects the patterns of the communications data obtained by input data monitor 11a and input data monitor 11b, which gather communications data from the external network 2, and which determines whether or not there has been an attack; and (2) a traffic shaper 13 which controls the rate at which the traffic is shaped. The inference engine 12 stores the attack patterns beforehand and detects whether the communications data patterns obtained by input data monitors 11a and 11b match a stored attack pattern, so that the attack can be detected. The traffic shaper 13 stores the rate a (0 < a < 1) at which the traffic is shaped when an attack is detected.



[0014] Next, we shall use the flowchart in Figure 2 to explain how the practical embodiment configured as indicated above operates. In step S1 in Figure 2, the communications data transferred from client X and client Y through the external network 2 are gathered by the input data monitors 11a and 11b. The communications data gathered by these input data monitors 11a and 11b are examined by the inference engine 12.

[0015] The attack patterns for servers A to N are stored beforehand in this inference engine 12. When the inference engine 12 examines the communications data gathered by input data monitors 11a and 11b, it detects whether or not there is a match between the communications data patterns and the stored attack patterns. Step S1 above is repeated until communications data resembling an attack pattern have been detected among the data gathered from input data monitors 11a and 11b.

[0016] When, while examining the communications data gathered using input monitors 11a and 11b, the inference engine 12 detects a match between the communications data patterns and the attack patterns, in step S2 the inference engine 12 notifies the traffic shaper 13 that an attack pattern has been detected. When the traffic shaper 13 receives this notification, the traffic is shaped by a factor of a.

[0017] In Figure 1, the access from client Y to server A is the traffic in this shaping mode. The traffic shaper 13 takes the communications data from client Y to server A and changes their ratio from [1 : 1] to [1 : a], and likewise takes the traffic from server A to client Y and changes its ratio from [1 : 1] to [a : 1]. In step S3, when the inference engine 12 detects that the traffic it has detected is continuing, in step S4 the traffic shaper 13 determines whether or not the rate of traffic has been reduced. If the traffic shaper 13 has not reduced the rate of traffic, processing returns to step S3.

[0018] If, in step S4, the shaping has reduced the rate of traffic, then in step S5 it changes the fixed rate (0 < a < 1) of the traffic and processing returns to step S2. Meanwhile, when in step S3 above the inference engine 12 detects that the communications data from the detected attack source address have ended, in step S6 the inference engine 12 returns the traffic shaping to the fixed value (0 < a < 1).
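The procedure in [0013] to [0018] (sample the traffic, match it against a stored attack pattern, notify the shaper, multiply the offending flow's rate by a, and restore the rate once the attack source's communications have ended), as an added simulation that is not part of the patent. The port-scan pattern used as the stored attack pattern, the idle timeout used to decide that the source's communications have "completed", the link speed, the packet format and the sample traffic are all assumptions made for the illustration:

```python
"""Simulated control device 1: input monitors sample packets, the inference
engine matches them against a stored attack pattern, and the traffic shaper
multiplies the offending flow's rate by a (0 < a < 1) until the source goes
quiet. Added illustration, not the patent's own code; the port-scan rule,
the idle timeout and the link speed are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float    # arrival time at the input monitor (seconds)
    src: str    # client X, Y, ...
    dst: str    # server A ... N
    dport: int  # destination port
    size: int   # bytes


SCAN_PORTS = 8      # assumed attack pattern: this many distinct ports ...
SCAN_WINDOW = 1.0   # ... from one client to one server within this window
IDLE_TIMEOUT = 5.0  # assumed: a source has "completed" after this much silence


class InferenceEngine:
    """Holds the attack pattern and checks each sampled packet against it."""
    def __init__(self):
        self.history = defaultdict(deque)  # (src, dst) -> (t, dport) entries

    def matches_attack(self, pkt):
        q = self.history[(pkt.src, pkt.dst)]
        q.append((pkt.t, pkt.dport))
        while pkt.t - q[0][0] > SCAN_WINDOW:  # drop probes outside the window
            q.popleft()
        return len({port for _, port in q}) >= SCAN_PORTS


class TrafficShaper:
    """Leaky-bucket emulation: a flow is served at line_rate times its current
    multiplier (1 normally, the stored fixed value a while it is shaped)."""
    def __init__(self, line_rate, a):
        if not 0 < a < 1:
            raise ValueError("a must satisfy 0 < a < 1")
        self.line_rate = line_rate           # bytes per second (assumed link)
        self.a = a                           # the stored fixed value
        self.ratio = {}                      # shaped flows -> multiplier
        self.next_free = defaultdict(float)  # flow -> time its queue drains

    def shape(self, flow):
        self.ratio[flow] = self.a

    def restore(self, flow):
        self.ratio.pop(flow, None)

    def release_time(self, flow, pkt):
        """A packet leaves no earlier than the previous one of the same flow
        plus its own serialization time at the flow's current rate."""
        rate = self.line_rate * self.ratio.get(flow, 1.0)
        start = max(pkt.t, self.next_free[flow])
        self.next_free[flow] = start + pkt.size / rate
        return self.next_free[flow]


def run_control_device(packets, line_rate=1_000_000, a=0.01):
    """Process packets in arrival order; report what was detected, what was
    restored, the final shaping state and when each packet left the shaper."""
    engine, shaper = InferenceEngine(), TrafficShaper(line_rate, a)
    last_seen, detected, restored, release = {}, {}, [], []
    for pkt in sorted(packets, key=lambda p: p.t):
        flow = (pkt.src, pkt.dst)
        # step S6: a shaped source whose communications have ended is restored
        for f in [f for f in shaper.ratio if pkt.t - last_seen[f] > IDLE_TIMEOUT]:
            shaper.restore(f)
            restored.append((f, pkt.t))
        last_seen[flow] = pkt.t
        # steps S1/S2: on a pattern match, notify the shaper (once per flow)
        if flow not in shaper.ratio and engine.matches_attack(pkt):
            detected.setdefault(flow, pkt.t)
            shaper.shape(flow)
        release.append((pkt, shaper.release_time(flow, pkt)))
    return {"detected": detected, "restored": restored, "release": release,
            "shaped": dict(shaper.ratio)}


# Constructed sample traffic: client X sweeps ports 1-20 on server A at 1 ms
# spacing, client Y talks normally to server B, and X sends one more packet
# to A long after the sweep has finished.
SAMPLE = (
    [Packet(i * 0.001, "X", "A", i + 1, 100) for i in range(20)]
    + [Packet(t, "Y", "B", 80, 1000) for t in (0.0, 0.5, 1.0)]
    + [Packet(10.0, "X", "A", 80, 100)]
)


def scan_finish(result, src, dst, last_port):
    """Time at which the probe to last_port left the shaper."""
    return max(r for p, r in result["release"]
               if (p.src, p.dst, p.dport) == (src, dst, last_port))


if __name__ == "__main__":
    res = run_control_device(SAMPLE)
    print("detected:", res["detected"])
    print("sweep finished leaving the shaper at",
          round(scan_finish(res, "X", "A", 20), 4), "s")
    print("restored:", res["restored"])
```

With the constructed traffic the engine matches the eighth distinct port at t = 0.007 s and the shaper's multiplier for the X-to-A flow drops to a = 0.01 from that probe onward; the 20-probe sweep, which would serialize in about 19 ms at the unshaped rate, does not finish leaving the shaper until t = 0.137 s, while client Y's traffic to server B is untouched. The stray packet at t = 10 s arrives after the idle timeout, so the flow is restored first and then re-examined without matching. Under claims 3 and 4 the same multiplier would also be applied to the server's replies; only the client-to-server direction is modeled here.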

[0019] 

[Effectiveness of the Invention] 

When the present invention is used and it has been detected that the communications data coincide with the attack patterns stored in the inference engine beforehand, the attack traffic is reduced by the traffic shaping, so that the retention time of the connection can be prolonged and the attacking time per server can be increased. Prolonging the attack time per server is effective against scanning and other types of comprehensive attack [on computer systems]. In addition, the need to change the server program is eliminated, and because attacks are detected in a concentrated manner at a single location, the need to introduce a detection module into each server is eliminated. Furthermore, by using shaping to gain time, the contents of the attack can be observed in the server log with time to spare, thereby making it possible to deal with the contents of the attack.

[Brief Explanation of Figures] 

[Figure 1] This is a block diagram of the configuration of the first practical embodiment of the 
network attack control system using traffic shaping in the present invention. 

[Figure 2] This is a flowchart indicating how the network attack control system using the traffic 
shaping indicated in Figure 1 works. 

[Explanation of Numerals] 

1...control device; 2...external network; 11a, 11b...input data monitors; 12...inference engine; 13...traffic shaper; A - N...servers; X, Y...clients.

[Figure 2]